centralldap.cldn.eu
Replicates in multi-master mode with centralldap.sit.cldn.eu
LDAP passwords:
| Account | Password |
|---|---|
| LDAP admin | 1:k5aQm5yFh/U= |
| cn=Directory Manager | 1:vbi+tbKrqerp6Ns= |
| uid=replicator,cn=config | 1:FQciAnZ9HQQjPnoAPgUsPk8= |
Account management scripts are in the directory /usr/local/scripts.
Installing and setting up SSSD
Importing the root CA
Importing the root CA only makes sense on clean CentOS installations. Our OVZ templates already have the authority added.
/etc/pki/ca-trust/source/anchors/BossonRootCA.pem
update-ca-trust
update-ca-trust extract
Installing SSSD
Installation
yum install sssd
/etc/sssd/sssd.conf
[domain/default]
ldap_schema = rfc2307
debug_level = 3
ldap_id_use_start_tls = True
ldap_tls_reqcert = try
cache_credentials = True
ldap_search_base = dc=<customer_name>,dc=customers,dc=cldn,dc=eu
krb5_realm = #
id_provider = ldap
auth_provider = ldap
access_provider = simple
chpass_provider = ldap
ldap_access_order = filter
ldap_group_member = memberuid
simple_allow_groups = <group_1>, <group_2>
ldap_user_search_base = ou=users,dc=<customer_name>,dc=customers,dc=cldn,dc=eu
ldap_group_search_base = ou=groups,dc=<customer_name>,dc=customers,dc=cldn,dc=eu
ldap_uri = ldaps://centralldap.cldn.eu:636,ldaps://centralldap.sit.cldn.eu:636
ldap_default_bind_dn = uid=reader,ou=customer_accounts,dc=<customer_name>,dc=customers,dc=cldn,dc=eu
ldap_default_authtok_type = password
ldap_default_authtok = <password_for_reader>
enumerate = True
krb5_server = kerberos.example.com

[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]
chmod on /etc/sssd/sssd.conf (the file holds the reader bind password in cleartext)
chmod 600 /etc/sssd/sssd.conf
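An added check, not part of this page or of SSSD itself, that audits the transport-related settings of the sssd.conf above: it flags ldap_tls_reqcert weaker than demand (try still accepts a server that presents no certificate), any plain ldap:// URI used without StartTLS, and a cleartext ldap_default_authtok in a file whose mode is not 600. The embedded sample is constructed from this page's values with its placeholders kept; the file mode is passed in rather than read from disk.

```python
import configparser

# Constructed sample: the transport-related lines of this page's sssd.conf,
# with the page's placeholders left in place.
SAMPLE_SSSD_CONF = """\
[domain/default]
ldap_schema = rfc2307
ldap_id_use_start_tls = True
ldap_tls_reqcert = try
ldap_uri = ldaps://centralldap.cldn.eu:636,ldaps://centralldap.sit.cldn.eu:636
ldap_default_bind_dn = uid=reader,ou=customer_accounts,dc=<customer_name>,dc=customers,dc=cldn,dc=eu
ldap_default_authtok_type = password
ldap_default_authtok = <password_for_reader>
"""


def audit_sssd_conf(text: str, file_mode: int = 0o600) -> list[str]:
    """Return findings for an sssd.conf given as text; file_mode is the
    on-disk permission bits (default: the chmod 600 applied on this page)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for name in cfg.sections():
        if not name.startswith("domain/"):
            continue
        dom = cfg[name]
        # 'try' still accepts a server that presents no certificate at all;
        # only 'demand'/'hard' (the SSSD default) require a chain to the imported CA.
        reqcert = dom.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert not in ("demand", "hard"):
            findings.append(f"{name}: ldap_tls_reqcert = {reqcert}; set it to demand")
        # A plain ldap:// URI without StartTLS would send the reader bind password in clear.
        start_tls = dom.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
        for uri in (u.strip() for u in dom.get("ldap_uri", "").split(",")):
            if uri.startswith("ldap://") and not start_tls:
                findings.append(f"{name}: {uri} is cleartext and ldap_id_use_start_tls is off")
        # The bind password sits in the file in cleartext, so group/other must not read it.
        if "ldap_default_authtok" in dom and file_mode & 0o077:
            findings.append(f"{name}: ldap_default_authtok present but mode is {oct(file_mode)}; chmod 600")
    return findings


if __name__ == "__main__":
    for finding in audit_sssd_conf(SAMPLE_SSSD_CONF):
        print(finding)
```

Run it against the real file with `audit_sssd_conf(open("/etc/sssd/sssd.conf").read(), os.stat("/etc/sssd/sssd.conf").st_mode & 0o777)` after the chmod above; the page's config as written yields exactly the ldap_tls_reqcert finding.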
Authconfig
authconfig --enablesssd --enablesssdauth --enablecachecreds --enableldap --enableldaptls --enableldapauth --disablenis --disablekrb5 --enablemkhomedir --enablelocauthorize --updateall
sssd cache
sss_cache -E
Enabling su for the sysadmin group
su - for sysadmin group
add to /etc/pam.d/su (the line marked with + is the one to add, after the commented-out pam_wheel line and before the system-auth substack):
#auth required pam_wheel.so use_uid
+auth sufficient pam_wheel.so group=sysadmins trust use_uid
auth substack system-auth